You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/ImpactAnalysis.md
+49-2Lines changed: 49 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -417,8 +417,55 @@ The following experiments each pertain to several of the risks above.
417
417
418
418
# Cryptography
419
419
420
-
> [!WARNING]
421
-
> TODO: Describe requirements and changes to the **Cryptography / Cardano base components**
420
+
The security of the votes cast and the certificates that Leios uses to accept EB blocks depends on the usage of the pairing-based BLS12-381 signature scheme (BLS). This scheme is useful, as it allows for aggregation of public keys and signatures, allowing a big group to signal their approval with one compact artifact. Besides Leios, it is also likely that [Peras](https://github.com/tweag/cardano-peras/issues/128) will use this scheme.
421
+
422
+
This section derives **requirements** for adding BLS signatures to `cardano-base` and sketches **changes** to satisfy them. The scope is limited to cryptographic primitives and their integration into existing classes; vote construction/logic is out of scope. This work should align with [this](https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-05.html) IETF draft.
423
+
424
+
> Note that with the implementation of [CIP-0381](https://cips.cardano.org/cip/CIP-0381)`cardano-base` already contains basic utility functions needed to create these bindings; the work below is thus expanding on that. The impact of the below requirements thus only extends to [this](https://github.com/IntersectMBO/cardano-base/blob/82e09945726a7650540e0656f01331d09018ac97/cardano-crypto-class/src/Cardano/Crypto/EllipticCurve/BLS12_381/Internal.hs) module and probably [this](https://github.com/IntersectMBO/cardano-base/blob/82e09945726a7650540e0656f01331d09018ac97/cardano-crypto-class/src/Cardano/Crypto/DSIGN/Class.hs) outward facing class.
425
+
426
+
## Requirements
427
+
428
+
### Functional
429
+
430
+
-*REQ-BlsTypes*.
431
+
Introduce opaque types for `SecretKey`, `PublicKey`, `Signature`, and `AggSignature` (if needed by consensus).
432
+
-*REQ-BlsKeyGenSecure*.
433
+
Provide secure key generation with strong randomness requirements, resistance to side-channel leakage.
434
+
-*REQ-BlsVariantAbstraction*.
435
+
Support both BLS variants—small public key and small signature—behind a single abstraction. Public APIs are variant-agnostic.
436
+
-*REQ-BlsPoP*.
437
+
Proof-of-Possession creation and verification to mitigate rogue-key attacks.
438
+
-*REQ-BlsSkToPk*.
439
+
Deterministic sk → pk derivation for the chosen variant.
440
+
-*REQ-BlsSignVerify*.
441
+
Signature generation and verification APIs, variant-agnostic and domain-separated (DST supplied by caller). Besides the DST, the interface should also implement a per message augmentation (as the hash to curve function also has in the IETF draft)
442
+
-*REQ-BlsAggregateSignatures*.
443
+
Aggregate a list of public keys and signatures into one
444
+
-*REQ-BlsBatchVerify*.
445
+
Batch verification API for efficient verification of many `(pk, msg, sig)` messages.
446
+
-*REQ-BlsDSIGNIntegration*.
447
+
Provide a `DSIGN` instance so consensus can use BLS via the existing `DSIGN` class, including aggregation-capable helpers where appropriate.
448
+
-*REQ-BlsSerialisation*.
449
+
Deterministic serialisation: `ToCBOR`/`FromCBOR` and raw-bytes for keys/signatures; strict length/subgroup/infinity checks; canonical compressed encodings as per the [Zcash](https://github.com/zcash/librustzcash/blob/6e0364cd42a2b3d2b958a54771ef51a8db79dd29/pairing/src/bls12_381/README.md#serialization) standard for BLS points.
450
+
-*REQ-BlsConformanceVectors*.
451
+
Add conformance tests using test vectors from the [intial](https://github.com/input-output-hk/ouroboros-leios/tree/main/crypto-benchmarks.rs) Rust implementation to ensure cross-impl compatibility.
452
+
453
+
### Non-functional
454
+
455
+
-*REQ-BlsPerfBenchmarks*.
456
+
Benchmark single-verify, aggregate-verify, and batch-verify; report the impact of batching vs individual verification.
457
+
-*REQ-BlsRustParity*.
458
+
Compare performance against the Rust implementation; document gaps and ensure functional parity on vectors.
459
+
-*REQ-BlsDeterminismPortability*.
460
+
Deterministic results across platforms/architectures; outputs independent of CPU feature detection.
461
+
-*REQ-BlsDocumentation*.
462
+
Document the outward facing API in cardano-base and provide example usages. Additionally add a section do's and don'ts with regards to security of this scheme outside the context of Leios (so in general what to look out for).
463
+
464
+
### Remarks
465
+
466
+
- Note that the PoP checks probably are done at the certificate level, and that the above-described API should not be responsible for this.
467
+
- The current code on BLS12-381 already abstracts over both curves `G1`/`G2`, we should maintain this.
468
+
- The `BLST` package also exposes fast verification over many messages and signatures + public keys by doing a combined pairing check. This might be helpful, though it's currently unclear if we can use this speedup. It might be the case, since we have *linear Leios, that this is never needed.
0 commit comments